Introduction to Qualys FIM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+


Use Qualys FIM for QRadar to ingest your Qualys FIM Events, FIM Ignored Events and FIM
Incidents into QRadar. To view the data, go to QRadar's Log Activity tab or the application
Dashboard. All you need to do is install the app, configure the app and schedule the sync. The
Qualys FIM App will continuously pull your event delta. Want to visualize historical data? Just
use the date-time pickers in QRadar's Log Activity tab or the application Dashboard to review the
information you need.


Features 


- Fetch the FIM events, ignored events and FIM incidents from Qualys and ingest them into
QRadar.

- Search the ingested data in QRadar using the "Log Activity" tab, or use the Dashboard with
its different widgets to view the data.


Prerequisites 


Make sure you have:
- A valid Qualys subscription
- API access to the Qualys FIM module
- Internet access; your Qualys API server must be reachable from QRadar


Note: This app is compatible with these versions only: QRadar 7.3.3 FP6, 7.4.1 FP2, 7.4.2 GA+


Install the App 


1) Log in to QRadar, go to the Admin tab > Extensions Management and click Add.
2) Select the extension .zip file for the FIM app.
   - Before installing the app, check that the Content of the app is correct.
   - Confirm whether you want to replace/skip any existing contents with those
     coming from the extension and click Install.


Note: If you are using QRadar version 7.4.x, it is mandatory to select the "Start a
default instance of each app" check box before clicking the Install button.


3) Once installation is completed, refresh your QRadar user interface.
4) After installation of the app, check that all the details appear as required for the following
settings:
   - Admin > Custom Event Properties
   - Admin > Log Source
   - Admin > Log Source Extensions
   - Admin > DSM Editor
5) Perform the DSM Editor steps before configuring the app.
6) Then configure the Qualys FIM app.




Validating Dependencies 


Go through each of the sections listed below. You need to carry out the following steps
manually, right after you install the app and before you start using it.
Note: Some sections may not be applicable in your case; skip those.
DSM Editor
Qualys FIM JSON 


In the Configuration tab, check that the following fields are set to the values mentioned
below:


1) Select Log Source Type (Qualys FIM JSON) > Configuration > Log Source Autodetection
Configuration > Enable Log Source Autodetection: enabled


2) Click Show Advanced Options and set the following as mentioned:
- Minimum Successful Events for Autodetection: 2
- Minimum Success Rate for Autodetection: 100
- Attempted Parse Limit: leave as is
- Consecutive Failed Parse Limit: leave as is


[Screenshot: Qualys FIM JSON > Configuration tab. Log Source Autodetection Configuration with
Enable Log Source Autodetection checked; Log Source Name Template $$DEVICE_TYPE$$ @
$$SOURCE_ADDRESS$$; Log Source Description Template $$DEVICE_TYPE$$ device; advanced
options Minimum Successful Events for Autodetection, Minimum Success Rate for Autodetection
(100), Attempted Parse Limit and Consecutive Failed Parse Limit; Property Autodetection
Configuration with Enable Property Autodetection.]
Qualys FIM INCIDENTS


In the Configuration tab, check that the following fields are set to the values mentioned
below:


1) Select Log Source Type (Qualys FIM INCIDENTS) > Configuration > Log Source
Autodetection Configuration > Enable Log Source Autodetection: enabled


2) Click Show Advanced Options and set the following as mentioned:
- Minimum Successful Events for Autodetection: 1
- Minimum Success Rate for Autodetection: 100
- Attempted Parse Limit: leave as is
- Consecutive Failed Parse Limit: leave as is


[Screenshot: Qualys FIM INCIDENTS > Configuration tab. Enable Log Source Autodetection checked;
Log Source Name Template $$DEVICE_TYPE$$ @ $$SOURCE_ADDRESS$$; Log Source Description
Template $$DEVICE_TYPE$$ device; Minimum Successful Events for Autodetection 1; Minimum
Success Rate for Autodetection 100.]


Log Source Event Mapping 
Qualys FIM JSON 


1) Go to Admin > DSM Editor. 
2) In Select Log Source Type, search for “Qualys FIM JSON” and click Select. 
[Screenshot: Select Log Source Type dialog ("Choose an existing Log Source Type to modify, or
create a new Log Source Type"); searching for "Qualys FIM" lists Qualys FIM INCIDENTS and
Qualys FIM JSON.]


3) From the Qualys FIM JSON screen, go to the Event Mappings tab. You can view the mappings for
FIM EVENTS, FIM IGNORED EVENTS and FIM INCIDENT EVENTS.
If you don't see mappings for FIM EVENTS, FIM IGNORED EVENTS and FIM
INCIDENT EVENTS, create them (refer to the steps below).


[Screenshot: Qualys FIM JSON > Event Mappings tab listing the FIM EVENTS, FIM IGNORED EVENTS
and FIM INCIDENT EVENTS mappings.]

4) Click the Choose QID link.
- High Level Category: Any
- Low Level Category: Any
- Log Source Type: Any
- QID/Name: In this text box, search for Qualys FIM and click Search.
Search Results

Name | Severity | High Level Category | Low Level Category | Description
Qualys FIM Events | 2 | System | Information | This QID will map the QualysFimMultiline log source events in QRadar.
Qualys FIM INCIDENTS Message | 3 | Unknown | Stored | QualysFIMINCIDENTSCustom Stored Event
Qualys FIM Ignored Events | 2 | System | Information | This QID will map the QualysFimMultiline log source events in QRadar.
Qualys FIM Incident Events | 2 | System | Information | This QID will map the QualysFimMultiline log source events in QRadar.
Qualys FIM Incidents | 2 | System | Information | This QID will map the QualysFimIncidents log source events in QRadar.
Qualys FIM JSON Message | 3 | Unknown | Stored |

Search results are displayed based on the QID/Name entered.


5) Click the + icon to add a new mapping. The "Create a new Event Mapping" pop-up opens. Set
Event ID to FIM EVENTS, FIM IGNORED EVENTS or FIM INCIDENT EVENTS (without
quotes) and Category to the same value, FIM EVENTS, FIM IGNORED EVENTS or
FIM INCIDENT EVENTS (without quotes).

6) Choose the option Qualys FIM Events / Qualys FIM Ignored Events / Qualys FIM Incidents
based on your requirement.

7) Click OK. This takes you back to the "Create a new Event Mapping" window.

8) Click Create. This takes you back to the "Event Mappings" window, where you can verify
the new event mapping.

9) Finally, click Save and close the window.


Qualys FIM INCIDENTS 


1) Go to Admin > DSM Editor.
2) In Select Log Source Type, search for "Qualys FIM INCIDENT" and click Select.


[Screenshot: Select Log Source Type dialog; searching for "Qualys FIM" lists Qualys FIM
INCIDENTS and Qualys FIM JSON, with Create New and Cancel buttons.]


3) From the Qualys FIM INCIDENTS screen, go to the Event Mappings tab. You can view the
mapping for FIM INCIDENT EVENTS.
If you don't see the mapping for FIM INCIDENT EVENTS, create it (refer to the steps below).
[Screenshot: Qualys FIM INCIDENTS > Event Mappings tab listing the FIM_INCIDENTS mapping.]


4) Click the + icon to add a new mapping. The "Create a new Event Mapping" pop-up opens. Set
Event ID to FIM INCIDENT EVENTS (without quotes) and Category to
FIM INCIDENT EVENTS (without quotes).
5) Click the Choose QID link.
- High Level Category: Any
- Low Level Category: Any
- Log Source Type: Any
- QID/Name: In this text box, search for Qualys FIM and click Search.


Search Results

Name | Severity | High Level Category | Low Level Category | Description
Qualys FIM INCIDENTS Message | 3 | Unknown | Stored | QualysFIMINCIDENTSCustom Stored Event
Qualys FIM Incident Events | 2 | System | Information | This QID will map the QualysFimMultiline log source events in QRadar.
Qualys FIM Incidents | 2 | System | Information | This QID will map the QualysFimIncidents log source events in QRadar.

Search results are displayed based on the QID/Name entered.


6) Choose the option Qualys FIM Incidents.

7) Click OK. This takes you back to the "Create a new Event Mapping" window.

8) Click Create. This takes you back to the "Event Mappings" window, where you can verify
the new event mapping.

9) Finally, click Save and close the window.
Log Source


Qualys FIM JSON 


When you install the app, it creates a new Log Source named "QualysFimMultiline".
Check that the log source is created and correctly configured after the installation. If the log source
is not created, the following error is displayed.


[Screenshot: Log Source editor (Overview / Protocol) for the missing log source, where Listen
Port, Aggregation Method, Event Start Pattern, Event End Pattern, Message ID Pattern, Event
Formatter, Source Name Formatting String and Time Limit each show "A value is required for
this field".]


You need to create or edit the custom log source for the Qualys app using the following
steps. Keep the configuration of the custom log source the same as that shown below:


1) Qualys FIM sends the data to the QRadar console only. You will not be able to use
the app in a distributed setup.

2) On your console UI, go to Admin > Data Sources > Log Sources and click Add.

3) Add the details shown below to the form to create the QualysFimMultiline Log Source. All
fields marked with an asterisk (*) are mandatory. Make sure your Log Source Name and
Log Source Identifier have the same value.


Property | Value
Log Source Name* | QualysFimMultiline (Customizable)
Log Source Description | QualysFimMultiline
Log Source Type* | Qualys FIM JSON
Protocol Configuration* | TCP Multiline Syslog
Log Source Identifier* | QualysFimMultiline (Customizable, but same as Log Source Name)
Listen Port | 12400 (Customizable)
Aggregation Method* | Start/End Matching
Event Start Pattern* | [A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s
Event End Pattern* | qualys_event_ends
Event Formatter* | No Formatting
Show Advanced Options* | Yes
Use Custom Source Name* | Unchecked
Use As A Gateway Log Source* | Checked
Flatten Multiline Events Into Single Line* | Checked
Retain Entire Lines During Event Aggregation* | Checked
Enabled* | Checked
Credibility | 5
Target Event Collector | <default/your choice>
Coalescing Events* | Unchecked
Store Event Payload* | Checked
Log Source Extension* | QualysFIMJSONCustom_ext


Note: If, while editing or creating the custom Qualys log source, the fields listed below are
shown as mandatory even though they are not mandatory for the Qualys FIM app's log source:


- Use Custom Source Name
- Source Name Regex
- Source Name Formatting String


enable and then disable the "Use Custom Source Name" option. As a result, QRadar
removes those fields from the mandatory fields.


Once you confirm the specified configurations are added or verified properly, click Save.
With the above steps, you create the required log source if it does not exist, or edit the existing
one if its values are not configured as required. Then go to Admin > Advanced and click Deploy
Full Configuration.
Qualys FIM INCIDENTS


When you install the app, it creates a new Log Source named "QualysFimIncidents".
Check that the log source is created and correctly configured after the installation. If the log source
is not created, the following error is displayed.


[Screenshot: Log Source editor for the missing log source, where Listen Port, Aggregation
Method, Event Start Pattern, Event End Pattern, Message ID Pattern, Event Formatter, Source
Name Formatting String and Time Limit each show "A value is required for this field".]


You need to create or edit the custom log source for the Qualys app using the following
steps. Keep the configuration of the custom log source the same as that shown below:


1) Qualys FIM sends the data to the QRadar console only. You will not be able to use
the app in a distributed setup.

2) On your console UI, go to Admin > Data Sources > Log Sources and click Add.

3) Add the details shown below to the form to create the QualysFimIncidents Log Source. All
fields marked with an asterisk (*) are mandatory. Make sure your Log Source Name and
Log Source Identifier have the same value.


Property | Value
Log Source Name* | QualysFimIncidents (Customizable)
Log Source Description | QualysFimIncidents
Log Source Type* | Qualys FIM INCIDENTS
Protocol Configuration* | TCP Multiline Syslog
Log Source Identifier* | QualysFimIncidents (Customizable, but same as Log Source Name)
Listen Port | 12400 (Customizable)
Aggregation Method* | Start/End Matching
Event Start Pattern* | [A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s
Event End Pattern* | qualys_event_ends
Event Formatter* | No Formatting
Show Advanced Options* | Yes
Use Custom Source Name* | Unchecked
Use As A Gateway Log Source* | Checked
Flatten Multiline Events Into Single Line* | Checked
Retain Entire Lines During Event Aggregation* | Checked
Enabled* | Checked
Credibility | 5
Target Event Collector | <default/your choice>
Coalescing Events* | Unchecked
Store Event Payload* | Checked
Log Source Extension* | QualysFIMINCIDENTCustom_ext


Note: If, while editing or creating the custom Qualys log source, the fields listed below are
shown as mandatory even though they are not mandatory for the Qualys FIM app's log source:


- Use Custom Source Name
- Source Name Regex
- Source Name Formatting String


enable and then disable the "Use Custom Source Name" option. As a result, QRadar
removes those fields from the mandatory fields.


4) Once you confirm the specified configurations are added or verified properly, click Save.


With the above steps, you create the required log source if it does not exist, or edit the existing
one if its values are not configured as required. Then go to Admin > Advanced and click Deploy
Full Configuration.
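The QualysFimMultiline and QualysFimIncidents log sources above share the same TCP Multiline Syslog settings. The following Python script is an added example (not part of the Qualys app or this guide) that emulates Start/End Matching with the Event Start Pattern and Event End Pattern from the tables, on a constructed stream whose framing (timestamp header, multi-line JSON body, terminator line) is assumed from those patterns. It shows which lines become one flattened event, which lines are orphaned when the start pattern does not match, and what stays pending when the terminator never arrives:

```python
import json
import re

# Patterns from the QualysFimMultiline / QualysFimIncidents log source tables above.
EVENT_START = re.compile(r"[A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s")
EVENT_END = "qualys_event_ends"

# Constructed sample of a TCP stream as the listen port would see it. The framing
# (syslog-style timestamp header, pretty-printed JSON body, terminator line) is
# assumed from the start/end patterns, not captured from a real app run. The
# third event is deliberately cut off before its terminator.
SAMPLE_STREAM = """Jan 15 10:21:07 {"id": "evt-1",
  "action": "Content",
  "fullPath": "/etc/passwd"}
qualys_event_ends
Jan 15 10:21:08 {"id": "evt-2",
  "action": "Create",
  "fullPath": "/etc/cron.d/job"}
qualys_event_ends
Jan 15 10:21:09 {"id": "evt-3",
  "action": "Delete"
"""


def aggregate_events(stream):
    """Emulate TCP Multiline Syslog with Aggregation Method = Start/End Matching.

    A line matching EVENT_START opens an event, a line containing EVENT_END
    closes it, and the buffered lines are joined into one line, which is what
    'Flatten Multiline Events Into Single Line' does. In this emulation the
    terminator line itself is dropped from the payload (assumption).

    Returns (events, orphans, pending):
      events  - flattened complete events
      orphans - non-empty lines seen while no event was open (a wrong start
                pattern shows up here)
      pending - lines of an event that never saw its end marker; QRadar would
                hold these until the protocol's Time Limit expires
    """
    events, orphans, buf = [], [], None
    for line in stream.splitlines():
        if buf is None:
            if EVENT_START.match(line):
                buf = [line]
            elif line.strip():
                orphans.append(line)
        elif EVENT_END in line:
            events.append(" ".join(part.strip() for part in buf))
            buf = None
        else:
            buf.append(line)
    return events, orphans, buf or []


def parse_event(flattened):
    """Split a flattened event into its timestamp header and parsed JSON body."""
    match = EVENT_START.match(flattened)
    if match is None:
        raise ValueError("event does not begin with the Event Start Pattern")
    return flattened[:match.end()].strip(), json.loads(flattened[match.end():])


if __name__ == "__main__":
    done, stray, incomplete = aggregate_events(SAMPLE_STREAM)
    for event in done:
        header, body = parse_event(event)
        print(header, body["id"], body.get("fullPath"))
    print("orphans:", stray, "pending lines:", len(incomplete))
```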
Custom Event Properties


1) Go to Admin > Log Sources and confirm that the QualysFimMultiline and
QualysFimIncidents Log Sources are Enabled. If either is disabled, enable it.

2) Go to Admin > Custom Event Properties and confirm that all 51 Qualys related
properties are Enabled and are linked to the "Qualys FIM JSON" and "Qualys FIM INCIDENTS"
log source types as listed in the table below.


Qualys related properties are:


Field name | Expression | Log Source Type
Absolute File Path | /"fullPath" | Qualys FIM JSON
Absolute Process Path | /"actor"/"imagePath" | Qualys FIM JSON
Action | /"action" | Qualys FIM JSON
Agent Version | /"asset"/"agentVersion" | Qualys FIM JSON
Asset Interfaces | /"assetInterfaces" | Qualys FIM JSON
Asset Name | /"asset"/"name" | Qualys FIM JSON
Asset Tags | /"asset"/"tags"[] | Qualys FIM JSON
Attribute New | /"attributes"/"new"[] | Qualys FIM JSON
Attribute Old | /"attributes"/"old"[] | Qualys FIM JSON
Category name | /"profiles"[0]/"category"/"name" | Qualys FIM JSON
Event Alert | /"name" | Qualys FIM JSON
Event Incident Id | /"incidentId" | Qualys FIM JSON
Event Incident Name | /"incidentName" | Qualys FIM JSON
Event UUID | /"id" | Qualys FIM JSON
Event Type | /"type" | Qualys FIM JSON
File Certificate Hash | /"fileCertificateHash" | Qualys FIM JSON
File Hash | /"fileContentHash" | Qualys FIM JSON
File Reputation Status | /"reputationStatus" | Qualys FIM JSON
File Trust Status | /"trustStatus" | Qualys FIM JSON
Incident Approval Status | /"approvalStatus" | Qualys FIM INCIDENTS
Incident Approval Type | /"approvalType" | Qualys FIM INCIDENTS
Incident Assignee | /"reviewers"[] | Qualys FIM INCIDENTS
Incident Change Type | /"changeType" | Qualys FIM INCIDENTS
Incident Correlation Rule ID | /"ruleId" | Qualys FIM INCIDENTS
Incident Correlation Rule Name | /"ruleName" | Qualys FIM INCIDENTS
Incident Disposition Category | /"dispositionCategory" | Qualys FIM INCIDENTS
Incident ID | /"id" | Qualys FIM INCIDENTS
Incident Name | /"name" | Qualys FIM INCIDENTS
Incident Status | /"status" | Qualys FIM INCIDENTS
Incident Type | /"type" | Qualys FIM INCIDENTS
Monitoring Profile | /"profiles"[0]/"name" | Qualys FIM JSON
New Content | /"newContent" | Qualys FIM JSON
New Registry Value Content | /"newRegistryValueContent" | Qualys FIM JSON
New Registry Value Type | /"newRegistryValueType" | Qualys FIM JSON
Old Content | /"oldContent" | Qualys FIM JSON
Old Registry Value Content | /"oldRegistryValueContent" | Qualys FIM JSON
Old Registry Value Type | /"oldRegistryValueType" | Qualys FIM JSON
Platform | /"platform" | Qualys FIM JSON
Process ID | /"actor"/"processID" | Qualys FIM JSON
Process Name | /"actor"/"process" | Qualys FIM JSON
Registry Name | /"registryName" | Qualys FIM JSON
Registry Path | /"registryPath" | Qualys FIM JSON
Rules ID | /"profiles"[0]/"rules"[0]/"id" | Qualys FIM JSON
Rules name | /"profiles"[0]/"rules"[0]/"name" | Qualys FIM JSON
Section ID | /"profiles"[0]/"rules"[0]/"section"/"id" | Qualys FIM JSON
Section Name | /"profiles"[0]/"rules"[0]/"section"/"name" | Qualys FIM JSON
Source Host Name | /"asset"/"interfaces"[0]/"hostname" | Qualys FIM JSON
User ID | /"actor"/"userID" | Qualys FIM JSON
Qradar Data Type | /"qradarDataType" | Qualys FIM INCIDENTS
Qradar Event Type | /"qradarEventType" | Qualys FIM JSON
Severity Level | /"severity" | Qualys FIM JSON


For the Qualys related properties, complete these checks:


1) If any property is disabled, enable it.
2) If any property does not belong to the Qualys FIM JSON/Qualys FIM INCIDENTS log source
type, open it to edit and select Qualys FIM JSON or Qualys FIM INCIDENTS as the log
source type.
3) Do not select any specific Log Source; select All in the drop-down option.
4) Select the Category, with High Level Category as System and Low Level Category as
Information.
5) Provide the JSON or Incident expression from the above table in the "Extraction using" section.
6) Finally, save the properties.


For any change in Custom Event Properties, it is recommended to run Deploy Full Configuration.
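The expressions in the table above are QRadar JSON keypaths. The following Python helper is an added example (not from the Qualys app or this guide) that evaluates such keypaths against a constructed FIM event shaped after the field names in the table, so you can check what each Custom Event Property would extract before deploying. The handling of `[]` (returning the whole array as a list) is an assumption about how QRadar presents multi-valued matches, and a malformed expression is reported rather than silently yielding nothing:

```python
import json
import re

# One segment of a QRadar JSON keypath: /"key", /"key"[0] or /"key"[]
SEGMENT = re.compile(r'/"([^"]+)"(?:\[(\d*)\])?')

# Expressions copied from the Custom Event Properties table above
# (a subset; the same evaluator works for all 51 rows).
PROPERTY_EXPRESSIONS = {
    "Absolute File Path": '/"fullPath"',
    "Absolute Process Path": '/"actor"/"imagePath"',
    "Asset Tags": '/"asset"/"tags"[]',
    "Category name": '/"profiles"[0]/"category"/"name"',
    "Section ID": '/"profiles"[0]/"rules"[0]/"section"/"id"',
    "Source Host Name": '/"asset"/"interfaces"[0]/"hostname"',
    "Registry Path": '/"registryPath"',
}

# Constructed FIM event shaped after the table's field names; not a real Qualys payload.
SAMPLE_EVENT = json.loads("""{
  "id": "constructed-event-0001",
  "fullPath": "/etc/ssh/sshd_config",
  "actor": {"imagePath": "/usr/bin/vim", "process": "vim", "userID": "0"},
  "asset": {"name": "web-01", "tags": ["prod", "pci"],
            "interfaces": [{"hostname": "web-01.example.internal"}]},
  "profiles": [{"name": "Linux baseline",
                "category": {"name": "Configuration"},
                "rules": [{"id": "r-7", "name": "sshd config",
                           "section": {"id": "s-3", "name": "SSH"}}]}]
}""")


def extract(doc, expression):
    """Evaluate a QRadar-style JSON keypath against a parsed document.

    [n] selects one array element; [] keeps the whole array (returned here as
    a Python list, an assumption about how the property would be presented).
    A missing key or index yields None, like an empty custom property, while a
    malformed expression raises ValueError so a typo in the table is caught.
    """
    node, pos = doc, 0
    for match in SEGMENT.finditer(expression):
        if match.start() != pos:
            raise ValueError("malformed keypath: %r" % expression)
        pos = match.end()
        key, index = match.group(1), match.group(2)
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
        if index is None:
            continue
        if not isinstance(node, list):
            return None
        if index != "":
            if int(index) >= len(node):
                return None
            node = node[int(index)]
    if pos == 0 or pos != len(expression):
        raise ValueError("malformed keypath: %r" % expression)
    return node


def evaluate_properties(doc, expressions=PROPERTY_EXPRESSIONS):
    """Return {property name: extracted value} for every expression."""
    return {name: extract(doc, expr) for name, expr in expressions.items()}


if __name__ == "__main__":
    for name, value in evaluate_properties(SAMPLE_EVENT).items():
        print("%-22s %r" % (name, value))
```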
Configure the App


Qualys API Configurations 


1) Log in to QRadar and go to the Admin tab.
2) Scroll to the "Apps" section and click Qualys FIM App Settings. A pop-up window opens.


[Screenshot: Qualys FIM App Settings pop-up with the tabs Settings, FIM Events, FIM Ignored
Events, FIM Incidents and Advanced. The Settings tab shows QRadar Settings (QRadar
Authorization Token, Log Source for Events, Log Source for Incidents), Qualys Settings (Qualys
API Gateway URL https://gateway.qg1.apps.qualys.com, Qualys API Username, Qualys API
Password), a "Use a proxy server for API calls" check box and a Proxy Server field. The tab
notes that an authorization token of the respective user role and security profile is required,
that your system administrator can generate an authorized service token, and that changes must
be deployed once the token is created.]


The QRadar Authorization token is used while interacting securely with QRadar. You can obtain this
token from Admin > User Management > Authorized Services.


To generate the authentication token, follow these steps:


1) Go to Authorized Services in the Admin tab.
2) Click Add Authorized Service.
3) Enter the desired Service Name.
4) Select User Role as Admin.
5) Select Security Profile as Admin.
6) Set the expiry date as required.
7) Click Create Service and then click Deploy changes.


After providing the Authorization Token under the Settings tab, click Save to proceed.


8) Use the Settings tab to configure your Qualys credentials. Enter your Qualys API server, 
username and password in the appropriate fields. 


Log Source 


Select Log Source for Events as QualysFimMultiline 
Select Log Source for Incidents as QualysFimIncidents 
[Screenshot: Settings tab filled in with the QRadar Authorization Token, Log Source for Events
QualysFimMultiline, Log Source for Incidents QualysFimIncidents, the Qualys API Gateway URL,
Qualys API Username and Qualys API Password, and the Save button.]


Proxy Configuration 

If you want the Qualys app to use a proxy while calling the API, configure the proxy details.
Select the check box to enable the proxy.

Add your proxy server and proxy port in <proxy server>:<proxy port> format.


If your proxy needs authentication, add the proxy user and proxy password along with the server and
port, in <proxy user>:<proxy password>@<proxy server>:<proxy port> format.


FIM Events 
Use the FIM Events tab to configure and enable Fetch FIM Events. 


[Screenshot: FIM Events tab with Enable FIM Events Fetch check box, Cron Schedule, Start
Date-Time (2017-01-01T00:00:00.000Z), Filter, Select log level (INFO) and Save.]


1) Tick the "Enable FIM Events Fetch" check box to enable this data input.


2) In the "Cron Schedule" field, enter a valid cron format entry. This is a mandatory field if
the "Enable FIM Events Fetch" check box is checked. Learn about cron expressions...

3) In the "Start Date-Time" field, enter the date-time from which you want to fetch the FIM
events data from Qualys.
- This is an optional field.
- The date-time format should be 'YYYY-MM-DDTHH:MM:SS.MSZ', e.g. '2019-02-25T18:30:00.000Z'.
- If the value is not provided, then FIM events will be fetched from the current date of
the browser. The start date shouldn't be earlier than 2017-01-01T00:00:00.000Z.
4) In the "Filter" field, enter filter criteria to filter the FIM events.
- This is an optional field.
- The filter fields should be in Elasticsearch query format.
5) From the Select log level drop-down menu, select the required log level out of the
following options:
- INFO
- DEBUG
- WARNING
- ERROR


FIM Ignored Events 


Use the FIM Ignored Events tab to configure and enable Fetch FIM Ignored Events. 


[Screenshot: FIM Ignored Events tab with Enable FIM Ignored Events Fetch check box, Cron
Schedule, Start Date-Time (2017-01-01T00:00:00.000Z), Filter, Select log level (INFO) and Save.]


1) Tick the "Enable FIM Ignored Events Fetch" check box to enable this data input.
2) In the "Cron Schedule" field, enter a valid cron format entry. This is a mandatory field if
the "Enable FIM Ignored Events Fetch" check box is checked.
3) In the "Start Date-Time" field, enter the date-time from which you want to fetch the FIM
Ignored events data from Qualys.
- This is an optional field.
- The date-time format should be 'YYYY-MM-DDTHH:MM:SS.MSZ', e.g. '2019-02-25T18:30:00.000Z'.
- If the value is not provided, then FIM events will be fetched from the current date of
the browser. The start date shouldn't be earlier than 2017-01-01T00:00:00.000Z.
4) In the "Filter" field, enter extra filter criteria to filter the FIM Ignored events.
- This is an optional field.
- The filter fields should be in Elasticsearch query format.
5) From the Select log level drop-down menu, select the required log level out of the
following options:
- INFO
- DEBUG
- WARNING
- ERROR


FIM Incidents 
Use the FIM Incidents tab to configure and enable Fetch FIM Incidents. 


[Screenshot: FIM Incidents tab with Enable FIM Incidents Fetch check box, Cron Schedule, Start
Date-Time (2017-01-01T00:00:00.000Z), Filter and Select log level (INFO).]


1) Tick the "Enable FIM Incidents Fetch" check box to enable this data input.


2) In the "Cron Schedule" field, enter a valid cron format entry. This is a mandatory field if
the "Enable FIM Incidents Fetch" check box is checked. Learn about cron expressions...
3) In the "Start Date-Time" field, enter the date-time from which you want to fetch the FIM
incidents data from Qualys.
- This is an optional field.
- The date-time format should be 'YYYY-MM-DDTHH:MM:SS.MSZ', e.g. '2019-02-25T18:30:00.000Z'.
- If the value is not provided, then FIM incidents will be fetched from the current date of
the browser. The start date shouldn't be earlier than 2017-01-01T00:00:00.000Z.
4) In the "Filter" field, enter filter criteria to filter the FIM incidents.
- This is an optional field.
- The filter fields should be in Elasticsearch query format.
5) From the Select log level drop-down menu, select the required log level out of the
following options:
- INFO
- DEBUG
- WARNING
- ERROR
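The Cron Schedule and Start Date-Time rules are the same on the FIM Events, FIM Ignored Events and FIM Incidents tabs. The following Python functions are an added example (not the app's own validation code) that apply those rules: the Start Date-Time format and the 2017-01-01T00:00:00.000Z floor, the empty-value fallback to the current time, and a schedule check that assumes the app accepts a standard five-field cron entry (an assumption; the guide only says "a valid cron format entry"):

```python
import re
from datetime import datetime, timezone

# Lower bound and format stated for the Start Date-Time field on all three tabs.
MIN_START = "2017-01-01T00:00:00.000Z"
START_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
START_SHAPE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")

# Allowed ranges for a standard five-field cron entry (minute, hour, day of
# month, month, day of week). Assumption: the app accepts this common dialect.
CRON_FIELDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def resolve_start_datetime(value, now=None):
    """Apply the Start Date-Time rules: optional, strict format, not before 2017.

    An empty value falls back to the current time (the app uses the browser's
    current date; the caller may supply 'now' here). Returns an aware UTC
    datetime or raises ValueError naming the rule that failed.
    """
    if not value or not value.strip():
        return now or datetime.now(timezone.utc)
    value = value.strip()
    if not START_SHAPE.match(value):
        raise ValueError("Start Date-Time must look like YYYY-MM-DDTHH:MM:SS.MSZ")
    start = datetime.strptime(value, START_FORMAT).replace(tzinfo=timezone.utc)
    floor = datetime.strptime(MIN_START, START_FORMAT).replace(tzinfo=timezone.utc)
    if start < floor:
        raise ValueError("Start Date-Time must not be earlier than " + MIN_START)
    return start


def _cron_field_ok(field, low, high):
    """Accept *, N, A-B, comma lists of those, and an optional /STEP on each item."""
    for item in field.split(","):
        base, _, step = item.partition("/")
        if step and not (step.isdigit() and int(step) > 0):
            return False
        if base == "*":
            continue
        first, dash, last = base.partition("-")
        if not first.isdigit() or (dash and not last.isdigit()):
            return False
        lo = int(first)
        hi = int(last) if dash else lo
        if not (low <= lo <= hi <= high):
            return False
    return True


def validate_cron(expression, fetch_enabled=True):
    """Cron Schedule is mandatory only while the tab's fetch is enabled."""
    if not expression or not expression.strip():
        return not fetch_enabled
    fields = expression.split()
    return len(fields) == len(CRON_FIELDS) and all(
        _cron_field_ok(f, low, high) for f, (low, high) in zip(fields, CRON_FIELDS))


if __name__ == "__main__":
    print(resolve_start_datetime("2019-02-25T18:30:00.000Z"))
    print(validate_cron("*/15 * * * *"), validate_cron("60 * * * *"))
```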
Advanced


Use the Advanced tab to see the last success and last failure for FIM Events, FIM Ignored Events and
FIM Incidents.


[Screenshot: Advanced tab showing, for FIM Events, FIM Ignored Events and FIM Incidents, the
Last Success and Last Failure times with counts such as "Total 0 FIM Event(s) logged" and a
failure message such as "QRFIM-310: Unknown exception during Qualys REST API request. Please
check the job logs."; a Download Application Logs button (includes the app.log, startup.log and
background job's log files); the Application ID; and Save.]


Advanced Configuration 


These are advanced and optional configurations that provide additional benefits
while using Qualys FIM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+.


Index Management 


From the QRadar Console, you can use the Index Management tool to control database indexing
on event and flow properties. Adding an indexed field to your search query improves the speed of
searches in QRadar by narrowing the overall data. Learn how to modify database indexing in the
Index Management tool by making use of the statistics shown before and after you enable or
disable indexing on multiple properties.


Steps to enable indexing for the specific custom event properties: 


1) On the navigation menu, click Admin and then click Index Management in the System 
Configuration section. 


2) Search, select and click Enable Index for the required properties. 
[Screenshot: Index Management page with the Enable Index and Disable Index buttons, Show,
Display (Last 30 Days), View and Database filters, and the columns % of Searches Using Property,
% of Searches Hitting Index, % of Searches Missing Index and Data Written. The page states that
index management allows you to control database indexing, which can optimize search performance
for frequently used criteria, and warns that enabling indexing on too many properties can have
a negative impact on system performance, so you should return to the page after adjusting
indexing to monitor the health of the indexes.]


3) Click Save. 


For more information, refer to Index management.
How the Qualys App works


What happens after configuration? 


Once you configure and enable FIM Events, Ignored Events and FIM Incidents, the application
bundled with this extension starts fetching your FIM data. By default, it pulls 1000 events
at a time. This value is set to such a small number to make sure the app can process your data
without hitting the memory limit governed by QRadar.

The first run might take some time depending on your scan volume. After that, subsequent
pulls are incremental, fetching only new/changed data.


How does data get into QRadar? 


Whenever cron runs a job (based on the cron schedule you defined), the job makes an outbound API
call to Qualys, gets the event JSON and sends it to QRadar over a socket using the TCP port
configured in the "QualysFimMultiline/QualysFimIncidents" Log Source. Using the DSM editor and the
"Qualys FIM JSON/Qualys FIM INCIDENTS" Log Source Type provided with this extension, QRadar
then puts this data into the "events" table in the Ariel database.


Raw Data 


There may be times when you want to see the raw data. Follow these steps:
1) Go to the Log Activity tab and open the Advanced Search field.

2) In the Advanced Search field, paste the sample AQL below. (Tip: for more AQLs, see the
Troubleshooting section in this guide.)

select "User ID", "Source Host Name", "Asset Name", "Event UUID", "Event Alert",
"Severity Level", "Process Name", "Process Id", "Absolute File Path"
from events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline'


3) Select the date range for which you want to see the data. 
4) Click Search. 


Depending on the results, you may want to change the date-time range to widen or narrow your
search span. You can also run your own AQL queries to find more relevant data. Refer to the
fields of the "Qualys FIM JSON" or "Qualys FIM INCIDENTS" log source type in the DSM editor to
learn the Qualys field names.


Input Logs 


While running, the host detection input sends its log to QRadar over syslog. To see them, use the
following AQLs in Log Activity > Advanced Search, following the same steps described above.


For FIM Events and FIM Ignored Events 


This AQL has all the fields which the app parses. 


select "Absolute File Path", "Absolute Process Path", "Action", "Agent Version", "Asset Interfaces",
"Asset Name", "Asset Tags", "Attribute New", "Attribute Old", "Category Name", "Event Alert",
"Event Type", "Event UUID", "File Certificate Hash", "File Reputation Status", "File Trust Status",
"Monitoring Profile", "New Content", "New Registry Value Content", "New Registry Value Type",
"Old Content", "Old Registry Value Content", "Old Registry Value Type", "Platform", "Process Id",
"Process Name", "Qradar Event Type", "Registry Name", "Registry Path", "Rules ID", "Rule Name",
"Section ID", "Section Name", "Severity Level", "Source Host Name", "User ID",
DATEFORMAT(devicetime, 'yyyy-MM-dd h:m:ss:SSS z') as "Log Source Time"
FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline'


To fetch FIM Events specific data, add this condition at the end of the AQL:

AND "Qradar Event Type" = 'FIM EVENTS'

To fetch FIM Ignored Events specific data, add this condition at the end of the AQL:

AND "Qradar Event Type" = 'FIM IGNORED EVENTS'


For FIM Incidents and Incident Events 


This AQL has all the fields which the app parses. 


SELECT "Incident ID", "Incident Name", "Incident Status", "Incident Type", "Incident Approval Type",
"Incident Approval Status", "Incident Assignee", "Incident Change Type", "Incident Correlation Rule ID",
"Incident Correlation Rule Name", "Incident Disposition Category"
FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimIncidents'
AND "Qradar Data Type" = 'FIM INCIDENTS'

SELECT "Absolute File Path", "Absolute Process Path", "Action", "Agent Version", "Asset Interfaces",
"Asset Name", "Asset Tags", "Attribute New", "Attribute Old", "Category Name", "Event Alert",
"Event Type", "Event UUID", "File Certificate Hash", "File Hash", "File Reputation Status",
"File Trust Status", "Monitoring Profile", "New Content", "New Registry Value Content",
"New Registry Value Type", "Old Content", "Old Registry Value Content", "Old Registry Value Type",
"Platform", "Process Id", "Process Name", "Qradar Event Type", "Registry Name", "Registry Path",
"Rules ID", "Rules Name", "Section ID", "Section Name", "Severity Level", "Source Host Name",
"User ID", DATEFORMAT(devicetime, 'yyyy-MM-dd h:m:ss:SSS z') as "Log Source Time"
FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline'
AND "Qradar Event Type" = 'FIM INCIDENT EVENTS'
Dashboard


QRadar displays a dashboard with 11 widgets. These widgets display different details, with an option
to select a date range.

Go to Qualys FIM > Dashboard and select the date range for which you want to view the changes.
The widgets of the dashboard are:


Total Event Count - Displays count of total FIM Events in the selected date range. 


Total Incident Count - Displays count of total FIM Incidents in the selected date range. 


Events by Profile - Displays the profile-wise distribution of events. On mouse hover, the name of the
profile and the count of events are displayed.




Top Changes by User - Top changes done by user in FIM events are displayed here. 


Top Changes by Process - Top changes done by process in FIM events are displayed here.


Events by Severity - Displays the severity-wise distribution of all FIM Events in the selected date
range. Hovering the mouse over a severity bar shows the count of events.


File Changes by Change Action - FIM Events for file changes, grouped by their change action, are
displayed here. The top 10 actions for file changes are presented with their counts.


Directory Changes by Change Action - Graphical display of directory changes by change action
in the selected date range.




Top 5 Incidents Based on Event Count - Graphical display of top 5 incidents based on event 
count in the selected date range. 


Incidents by Approval Status - Graphical display of incidents by their approval status in the
selected date range.




Ignored Events - Graphical display of total FIM Ignored Events in the selected date range.
The bar chart is grouped as follows:

- If the difference between the start and end dates is in years, the bar chart is shown year-wise.
- Else, if the difference is in months, the bar chart is shown month-wise.
- Else, if the difference is in days, the bar chart is shown day-wise.
- Else, if the difference is in hours, the bar chart is shown hour-wise.
- Else, if the difference is in minutes, the bar chart is shown minute-wise.

Note: If the date difference is > 30 days, it is converted to months.
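The grouping rule above, written out as an added Python illustration (not the Qualys app's own code). The 365-day threshold for a "year" difference and the sample timestamps are assumptions; the timestamp format is the one the report tables display.

```python
"""Bar-chart bucketing for the Ignored Events dashboard widget, following the
rules listed in the guide: year-, month-, day-, hour- or minute-wise, with any
range over 30 days treated as month-wise. Added example, not the Qualys app's
implementation. Assumptions: a 'year' difference means 365 days or more, and
the constructed timestamps use the 'YYYY-MM-DD HH:MM' form the reports show."""
from collections import Counter
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M"          # as shown in the guide's report tables

# strftime key that identifies one bar for each unit
BAR_KEY = {
    "year": "%Y",
    "month": "%Y-%m",
    "day": "%Y-%m-%d",
    "hour": "%Y-%m-%d %H:00",
    "minute": "%Y-%m-%d %H:%M",
}


def parse_ts(text):
    """Parse a report-style timestamp such as '2021-06-18 10:49'."""
    return datetime.strptime(text, TS_FORMAT)


def chart_unit(start, end):
    """Pick the bar-chart unit for the selected date range."""
    if end < start:
        raise ValueError("end date-time precedes start date-time")
    span = end - start
    if span >= timedelta(days=365):    # assumption: a 'year' difference is 365+ days
        return "year"
    if span > timedelta(days=30):      # guide's note: > 30 days is converted to month
        return "month"
    if span >= timedelta(days=1):
        return "day"
    if span >= timedelta(hours=1):
        return "hour"
    return "minute"


def bucket_ignored_events(timestamps, start, end):
    """Count events per bar for the chosen unit; events outside [start, end] are dropped.
    Returns (unit, {bar_label: count}) with labels in chronological order."""
    unit = chart_unit(start, end)
    key = BAR_KEY[unit]
    counts = Counter(t.strftime(key) for t in timestamps if start <= t <= end)
    return unit, dict(sorted(counts.items()))


# Constructed sample: ignored events around a 2021-05-01 .. 2021-08-25 range
SAMPLE_EVENTS = [parse_ts(t) for t in (
    "2021-06-01 09:12", "2021-06-15 14:03", "2021-07-03 22:41",
    "2021-08-20 10:49", "2021-09-01 00:05",   # the last one falls outside the range
)]

if __name__ == "__main__":
    start, end = parse_ts("2021-05-01 11:03"), parse_ts("2021-08-25 11:03")
    unit, bars = bucket_ignored_events(SAMPLE_EVENTS, start, end)
    print(unit, bars)  # month {'2021-06': 2, '2021-07': 1, '2021-08': 1}
```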


Reports


The Reports tab has different criteria for the user to view the reports: Incident Status, Events By
Severity, Ignored Events, Total Incident Changes, File Changes By Change Action and Changes By Type.
Each report is run over a selected start and end date-time.

Displays reports based on the status of the Incidents.
1. Select a required date range.
2. Select Status as Open, Closed or Reopened.
3. Click Search to view the reports.




Events by Severity 

Displays reports based on severity of the Incidents. 
1. Select a required date range. 
2. Select Severity as 1, 2, 3, 4, or 5. 
3. Click Search to view the reports. 




Ignored Events 
Displays reports of ignored events. 
1. Select a required date range.
2. Click Search to view the required reports. 


File Changes by Change Action 

Displays reports based on change actions of the incidents. 
1. Select a required date range. 
2. Select Action as Security, Attributes, Delete, Rename, Create, or Content. 
3. Click Search to view the reports. 




Changes by Type 

Displays reports based on change by type of the incidents. 
1. Select a required date range and Type as File, Directory, Key, or Value. 
2. Click Search to view the reports. 


Note: A maximum of 20 rows is displayed on one page. To view the remaining pages, use the
pagination option.
Search


The Search tab (Qualys FIM > Search) offers Incident Based Events, User Based Events, Process Based
Events, File Based Events and Asset Based Events searches, each over a selected start and end date-time.


Incident Based Events 
To search for incident based events: 
1. Select a required date range. 
2. Select either Incident ID(s) or Incident Name(s) from the drop-down option.




3. If Incident ID(s) is selected: add single or multiple incident IDs in the Contains field.
If Incident Name(s) is selected: add single or multiple incident names in the Contains field.

4. Click Search to view the results.


User Based Events 
To search for user based events: 
1. Select a required date range. 
2. Add a username or multiple usernames in the text field provided to search for the
required incident.
3. Click Search to view the results. 




Process Based Events 
To search for process based events: 
1. Select a required date range. 
2. Select either Process Name(s) or Absolute Process Path(s) from the drop-down option. 


3. If Process Name(s) is selected: Add single or multiple names in the Contains field. 
If Absolute Process Path is selected: Add single or multiple paths in the Contains field. 
4. Click Search to view the results. 


File Based Events 

To search for file based events: 

1. Select a required date range. 

2. Select either File Name(s) or Absolute File Path(s) from the drop-down option. 




3. If File Name(s) is selected: Add single or multiple names in the Contains field. 
If Absolute File Path is selected: Add single or multiple paths in the Contains field. 
4. Click Search to view the results. 


Asset Based Events 
To search for asset based events: 
1. Select a required date range. 
2. Select Asset Name(s) or Asset Tag ID from the drop-down option. 


3. If Asset Name(s) is selected: add an asset name or multiple asset names in the text field
provided to search for the required incident.
If Asset Tag ID is selected: add a Tag ID. Note: You can add only a single tag, since one tag
may contain multiple assets.

4. Click Search to view the results.




Uninstalling the app

If you ever need to uninstall the app, do it cleanly. Any leftover artifacts can interfere with
the next installation attempt and leave the system in an unstable state.

When the app is installed, the following components are installed in QRadar, so to uninstall
completely these components also need to be removed.

1) Uninstall the FIM app from Admin > Extension Management. If you are asked to
Remove or Preserve, then remove everything.
2) Check that all the CEPs are deleted for the "Qualys FIM JSON" and "Qualys FIM Incidents"
(whichever is required) log source types in Admin > Custom Event Properties.
3) Delete the FIM app related:
- Admin > Log Source
- Admin > Log Source Extensions
4) Open Admin > DSM Editor:
- Select the "Qualys FIM JSON" log source type. Check that all the custom fields are
deleted and that override fields are not overridden in the Properties tab.
- Select the "Qualys FIM INCIDENTS" log source type. Check that all the custom fields
are deleted and that override fields are not overridden in the Properties tab.
- Delete the Event mapping(s) related to the FIM app.
- Disable Configuration > Log Source Autodetection and
Configuration > Enable Log Source Autodetection.
5) Then delete the "Qualys FIM JSON" and "Qualys FIM Incidents" log source types in Admin
> DSM Editor.
6) Log out.
Troubleshooting


If any error (for example: socket connection on the port xxxx configured for the FIM
log sources is refused) is displayed in the application log or in the app configuration
under the Advanced tab > Last Failure, perform the following steps:

1. Disable all the data inputs from the application configuration.
2. Admin > Advanced drop-down > Deploy Full Configuration
3. Admin > Advanced drop-down > Restart Event Collection Service
4. Enable the required data inputs.

Note: Wait for the Event Collection Service to restart before enabling the FIM job.


If the user is not able to pull data without a proxy

If the user is not able to pull the data without a proxy, check with your networking team
and the team responsible for providing the QRadar host machine.

If the user is not able to pull data with a proxy

If the user is able to pull the data with an HTTP proxy but not an HTTPS proxy, or vice versa,
check with your networking team and the team responsible for providing the QRadar host
machine.


If the Token returned is Null

If the ETL log says "Received auth token from API Gateway Server" and the process then
terminates, the token returned is None. Run the following curl from the /opt/app-root/app
directory inside the app container to verify this:

- If a proxy is not needed, remove the --proxy option and the proxy value:

curl --location --request POST '<gateway api>/auth' --proxy <proxy> \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'username=<POD username>' \
  --data-urlencode 'password=<POD password>' \
  --data-urlencode 'token=true'

- If the JWT token is not returned, check with your networking team or the team
responsible for providing the QRadar host machine for proxy or firewall-related issues.
- If the JWT token is returned, contact Qualys support.


If Log Source error occurs 


If the Log source shows this message, "This log source uses an undocumented protocol. IBM
Support cannot troubleshoot problems with receiving event data. Events received by an
undocumented protocol may be in a format unrecognized by the DSM. Use the DSM Editor to
resolve any parsing issues.", refer to these links from IBM:

- https://www.ibm.com/docs/en/dsm?topic=configuration-undocumented-protocols
- https://www.ibm.com/docs/en/qradar-common?topic=app-undocumented-protocols


If you get errors for AQL 


- If you get N/A for any field value: a payload that contains the field shows its data, and a
payload that does not contain the field shows N/A. N/A is supplied by QRadar when the field is
not available in the payload.

- If you get the error "Field '<field name>' does not exist in catalog 'events'" in the Log Activity
tab, manually type the field name to get the exact match for that value.


If you get “[Errno 111] Connection refused” error 


Error messages like the following are displayed:

ERROR: Socket connection on port 12400 configured for 'QualysFimMultiline' log source is
refused, 'Deploy Full Configuration'. Error while connecting to socket: [Errno 111] Connection
refused

This error occurs when the Listen port is not LISTENING. Perform Deploy Full Configuration on the
QRadar box to resolve this issue.

Verify the following points:
- Whether the steps at https://www.ibm.com/support/pages/node/6395080 have been performed.
This can be verified as follows: if the license is patched, the user can see live events under
Log Activity; otherwise no events are visible to the user.
- Whether the user performed 'Deploy Changes' after the application installation. This is the
last step and must be authorized by a QRadar Admin: do a 'Full Deployment'.
- If the above steps do not resolve the issue, contact Qualys Support.
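An added example (not the Qualys app's code) that ties the data path described under "How does data get into QRadar?" to this error: it batches constructed FIM event JSON, writes one JSON object per line over TCP to the log-source port, and maps a refused connection (errno 111) to the remedy above. The in-process collector thread only stands in for QRadar's listener; the port 12400 default is the one quoted in the error message.

```python
"""Forward FIM event JSON to a QRadar TCP log-source port in batches, the way
the guide describes the cron job doing it, and turn a refused connection into
the guide's remedy. Added example code, not the Qualys app's implementation.
Assumptions: one JSON object per line, the guide's default batch size of 1000,
constructed sample events, and a local listener standing in for QRadar."""
import errno
import json
import socket
import threading

BATCH_SIZE = 1000                 # the guide's default pull size per run
DEFAULT_PORT = 12400              # port quoted in the guide's error message


def batches(events, size=BATCH_SIZE):
    """Yield events in chunks so a run never holds more than one batch in memory."""
    for i in range(0, len(events), size):
        yield events[i:i + size]


def send_batch(events, host, port, timeout=5.0):
    """Write each event as one newline-terminated JSON line over a fresh TCP
    connection and return the number of events sent. A closed listen port
    surfaces as ConnectionRefusedError (errno 111)."""
    payload = b"".join(
        json.dumps(ev, separators=(",", ":")).encode("utf-8") + b"\n" for ev in events
    )
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(payload)
    return len(events)


def explain_socket_error(exc, log_source="QualysFimMultiline", port=DEFAULT_PORT):
    """Map a socket failure to the troubleshooting guidance in this guide."""
    if isinstance(exc, OSError) and exc.errno == errno.ECONNREFUSED:
        return (f"Socket connection on port {port} configured for '{log_source}' log source "
                "is refused: the listen port is not LISTENING. Run Deploy Full Configuration "
                "and Restart Event Collection Service, then re-enable the data inputs.")
    return f"Unexpected socket error: {exc!r}"


def start_local_collector():
    """Stand-in for the QRadar collector: accept one connection on an ephemeral
    port, parse the JSON lines it receives, and return (port, received, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
            received.extend(json.loads(line) for line in data.split(b"\n") if line)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], received, thread


def forward(events, host, port):
    """Send all batches; return (sent_count, error_text_or_None)."""
    sent = 0
    try:
        for batch in batches(events):
            sent += send_batch(batch, host, port)
    except OSError as exc:
        return sent, explain_socket_error(exc, port=port)
    return sent, None


# Constructed FIM-style events, using field names the AQL queries above select
SAMPLE_EVENTS = [
    {"Event UUID": "00000000-0000-4000-8000-000000000001", "Qradar Event Type": "FIM EVENTS",
     "Action": "Content", "Severity Level": 5, "User ID": "NT AUTHORITY\\SYSTEM"},
    {"Event UUID": "00000000-0000-4000-8000-000000000002", "Qradar Event Type": "FIM IGNORED EVENTS",
     "Action": "Create", "Severity Level": 2, "User ID": "root"},
]

if __name__ == "__main__":
    port, got, collector = start_local_collector()
    print(forward(SAMPLE_EVENTS, "127.0.0.1", port))   # (2, None)
    collector.join(5)
    print(len(got), "events received")
```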


If widgets are taking time to load/display data 


Try loading each widget separately. After selecting a date range, the widgets might take time to 
fetch the data, hence try to refresh each widget separately. 


Qualys Support 


If you tried the troubleshooting steps but still need help, please contact Qualys Support at 
https://www.qualys.com/support/ 


Provide the following information to Qualys Support: 


- Qualys App version number
- QRadar version number, including the patch number
- Steps to reproduce the issue
- Note any manual changes done to the Qualys app's code
- Note any manual changes done to the Qualys app's container
- Download the logs from the Admin > Qualys FIM App Settings page and attach
them to your support case.
Appendix


The user will find this information under Application Configuration > Advanced tab.

Error code | Meaning

RFIM-100 | The /opt/app-root/store/qradar_fim_app.db is either missing or is in read-only mode as it must have been updated by another file. In that case please provide permission to write.
RFIM-101 | Not able to connect to the qualys_fim_config table in the /opt/app-root/store/qradar_fim_app.db file, please check if the table is available in the db file.
RFIM-102 | The configuration key-value is not available in the qualys_fim_config table.
RFIM-103 | Some error is encountered while adding or updating the qualys_fim_checkpoint table.
RFIM-104 | Some error is encountered while adding or updating the qualys_fim_config table.
RFIM-105 | Some error is encountered while getting the data from the qualys_fim_checkpoint table.
RFIM-106 | Some error is encountered while adding or updating the qualys_fim_job_status table.
RFIM-200 | To make the REST API call to QRadar, we use HTTP headers. Some issue is encountered while creating the headers. Please check the job logs.
RFIM-201 | While making the QRadar REST API call we encountered an error that is not parsable. Please check the job logs.
RFIM-202 | We did not find the 'Qualys FIM JSON' Log source Type in the DSM Editor. Please reinstall the app.
RFIM-203 | We did not find the 'QualysFimMultiline' Log source Type in the DSM Editor. Please create a log source or reinstall the app.
RFIM-204 | We could not connect with the QRadar REST API server. Please check with IBM support if there is an issue with the QRadar host machine.
RFIM-205 | While fetching the Log source information we encountered an error, please check the job logs.
RFIM-206 | Please update a correct QRadar Auth token on the Qualys FIM app settings page.
RFIM-207 | Got an error from QRadar REST API. Please contact IBM support.
RFIM-208 | No Log source information available in QRadar for the selected Log Source Id.
RFIM-209 | We encountered an error while validating the QRadar related settings before starting the job process. Please check the job logs for more information.
RFIM-210 | Connection with QRadar host machine over socket is lost. Please check if the DSM PORT is open on the QRadar host machine. Restart the job process.
RFIM-211 | Could not connect with QRadar host machine over the socket. Please check if the DSM PORT is open on the QRadar host machine.
RFIM-212 | We encountered an exception while trying a socket connection to QRadar. Please check the job logs for more information.
RFIM-213 | Events and Incidents Listen port does not match.
RFIM-214 | FIM log source is not configured correctly. Please provide proper log source identifier and listen port.
RFIM-300 | There is some error with the saved Qualys JWT Auth token. However, do not worry, we will generate a new token.
RFIM-301 | Could not get Qualys JWT Auth token. Please check job logs for more information.
RFIM-302 | We were not able to get a valid response from Qualys API. Please check the job logs.
RFIM-303 | Qualys REST API concurrency limit reached. We will retry to fetch the data. If you need to improve the job process speed, please increase the concurrency limit for your account.
RFIM-304 | You are unauthorized to make the Qualys JWT Auth token call. Please check with Qualys support for more information.
RFIM-305 | Saved Qualys JWT Auth token is expired. Do not worry, we will generate a new token.
RFIM-306 | We got an unexpected response while getting the Qualys JWT Auth token. However, do not worry, we will generate a new token.
RFIM-307 | Invalid Qualys POD details provided. Please provide the correct information.
RFIM-308 | Check if Qualys POD credentials are correct.
RFIM-309 | Socket error during Qualys REST API request. Please check with Qualys support for more information.
RFIM-310 | Unknown exception during Qualys REST API request. Please check the job logs.
RFIM-311 | Server URL or Username or Password should not be empty. Please update them from the app settings page.
RFIM-312 | Exception while validating the Start Date for Job. Please provide the Date-Time format as YYYY-MM-DDTHH:MM:SS.msZ and greater than 2017-01-01T00:00:00.000Z.
RFIM-313 | Invalid Start Date for Job. Please provide the Date-Time format as YYYY-MM-DDTHH:MM:SS.msZ and greater than 2017-01-01T00:00:00.000Z.
RFIM-314 | We encountered an exception while validating the Qualys app configuration. Please check the job logs.
RFIM-315 | An invalid proxy is provided on the app settings page. Please validate if the proxy details provided are valid.
RFIM-316 | Got None in the API response. Qualys JWT Auth Token not received. Please check with Qualys support if the POD details are correct and authorized for the FIM API.
RFIM-317 | There was an ambiguous exception that occurred while handling your API request.
RFIM-318 | Got ConnectionError while making the API request.
RFIM-319 | API request timeout reached. Will retry once.
RFIM-320 | Received 401 unauthorized from the JWT auth token API response.
RFIM-321 | Received 403 forbidden from the JWT auth token API response.
RFIM-400 | We did not get any count from Qualys API for your POD. No new event in the subscription.
RFIM-401 | We found some errors in the JSON data we received from Qualys API. Please check the job logs and the JSON file for the API request for more information.
RFIM-402 | Could not get the FIM data from Qualys REST API for the job.
RFIM-403 | Not able to parse the incomplete JSON data in file.
RFIM-500 | Please check the job logs for more information on which database file is required to run the job.
RFIM-501 | Log source not selected. Please select a valid Log source on the app settings page.
RFIM-502 | We were not able to decrypt the proxy password. Please check with Qualys Support.
RFIM-503 | Please provide a valid proxy host on the app settings page.
RFIM-504 | We were not able to decrypt the API password. Please check with Qualys Support.
RFIM-505 | Due to some exceptions, we are not able to rename the Qualys REST API response JSON file. Please check job logs for more information.
RFIM-506 | Due to some exceptions, we are not able to remove the Qualys REST API response JSON file. Please check job logs for more information.
RFIM-507 | Due to some exceptions, we are not able to save the Qualys REST API response JSON file. Please check job logs for more information.
RFIM-508 | You are trying to run the job which is already running. Please do not run another job manually.
RFIM-509 | While cleaning the JSON files we encountered an exception. Please check the job logs.
RFIM-510 | FIM Incidents log source not selected. Please select a valid Log source on the app settings page.